To be able to forward traffic from your LAN to the Internet, we need to tell the kernel to allow IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Default policies: drop any incoming packets, accept the rest.

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Masquerading will make machines from the LAN look as if they were the router:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Do not allow new or invalid connections to reach your internal network:

iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

Accept any connections from the local machine and the LAN:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

Only accept certain ports from outside:

iptables -A INPUT -i $WAN -p tcp -m tcp --dport 22 -j ACCEPT

Accept related and established connections:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

On Mon, Jun 7, 2010 at 22:56, Nelson <[email protected]> wrote:
> I've been Googling about port forwarding iptables and even though there's
> result and I've applied it in my script, I can't make iptables forwarding
> request to another machine so I decided to ask help.
>
> eth0 is my Internet Interface (1.2.3.4 is the public ip)
> eth1 is my Lan Interface
> eth2 is my DMZ Interface
>
> My Apache test server is 10.0.1.150. I've squid running so all my Lan will
> be redirected to port 8080 on interface eth1. I block all ports for my lan
> except http.
>
> Below is my script:
>
> $iptables -F INPUT
> $iptables -F OUTPUT
> $iptables -P INPUT DROP
> $iptables -P OUTPUT ACCEPT
> $iptables -F FORWARD
> $iptables -F -t nat
> $iptables -P FORWARD DROP
> $iptables -A FORWARD -i eth1 -j ACCEPT
> $iptables -A INPUT -i eth1 -j ACCEPT
> $iptables -A OUTPUT -o eth1 -j ACCEPT
> $iptables -A FORWARD -i eth2 -j ACCEPT
> $iptables -A INPUT -i eth2 -j ACCEPT
> $iptables -A OUTPUT -o eth2 -j ACCEPT
> $iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -o eth0 -j SNAT --to-source 1.2.3.4
> $iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth2 -j MASQUERADE
> $iptables -A INPUT -i lo -j ACCEPT
> $iptables -A OUTPUT -o lo -j ACCEPT
> $iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> $iptables -I FORWARD -i eth1 -p tcp -m multiport --dport 0:79 -j REJECT
> $iptables -I FORWARD -i eth1 -p tcp -m multiport --dport 81:65535 -j REJECT
> $iptables -I FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
> $iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
> $iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
> $iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
> $iptables -A INPUT -p tcp -i eth0 --dport 3500 -j ACCEPT
> $iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
> $iptables -I FORWARD -i eth0 -p tcp -m state --state NEW -d 10.0.1.150 --dport 80 -j ACCEPT
> $iptables -t nat -I PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.0.1.150:80
> $iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
> $iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
> $iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
> $iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
>
> The relevant lines here as far as I know are:
>
> $iptables -I FORWARD -i eth0 -p tcp -m state --state NEW -d 10.0.1.150 --dport 80 -j ACCEPT
> $iptables -t nat -I PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.0.1.150:80
>
> I can telnet port 80 of 10.0.1.150 on the server. I can even view the test page
> using links on the server.
>
> Can anyone tell me what's my mistake here? Linux newbie in iptables.
>
> --
> You received this message because you are subscribed to the Linux Users
> Group.
> To post a message, send email to [email protected]
> To unsubscribe, send email to [email protected]
> For more options, visit our group at
> http://groups.google.com/group/linuxusersgroup
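As an added example that is not part of either mail, here is the minimal rule set for the DMZ port forward discussed above (public address 1.2.3.4 on eth0, Apache host 10.0.1.150 behind eth2, as in Nelson's setup), written as a script that prints the rules for review before they are applied and that refuses to apply them while the kernel still has ip_forward set to 0. The DRY_RUN switch, the 5-argument interface, and the FORWARD ordering (accept the forwarded port, then drop every other NEW connection arriving from the WAN) are this example's own assumptions, not the list's recommendation.

```shell
#!/bin/sh
# Added example, not from the thread: minimal DNAT port forward from the
# public address on the WAN interface to a DMZ web server.  Addresses and
# interface names match Nelson's mail; DRY_RUN=1 is this script's own switch.
set -eu

# True (exit 0) when IPv4 forwarding is on.  The optional file argument lets
# the check run against a copy instead of the live sysctl.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the rules, one per line: $1 WAN iface, $2 public IP, $3 DMZ iface,
# $4 DMZ host, $5 TCP port.  Order matters: the ACCEPT for the forwarded
# port must precede the catch-all DROP of NEW connections from the WAN.
port_forward_rules() {
    wan=$1 pub=$2 dmz_if=$3 host=$4 port=$5
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan -p tcp -d $pub --dport $port -j DNAT --to-destination $host:$port
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $dmz_if -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $wan -m state --state NEW,INVALID -j DROP
EOF
}

# Apply the rules (as root), or with DRY_RUN=1 just echo them for review.
# Refuses to apply anything while the kernel will not forward at all, which
# is the first thing to verify when a DNAT rule appears to do nothing.
apply_port_forward() {
    if [ "${DRY_RUN:-0}" != 1 ] && ! ip_forward_enabled; then
        echo "ip_forward is 0: run 'sysctl -w net.ipv4.ip_forward=1' first" >&2
        return 2
    fi
    port_forward_rules "$@" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$rule"; else eval "$rule"; fi
    done
}

# Usage: DRY_RUN=1 sh forward.sh eth0 1.2.3.4 eth2 10.0.1.150 80   (review)
#        sh forward.sh eth0 1.2.3.4 eth2 10.0.1.150 80             (apply, as root)
[ $# -eq 5 ] && apply_port_forward "$@"
```

After applying, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters, so a DNAT rule whose counter stays at zero tells you the packets never reached the router, while a climbing DNAT counter with a zero FORWARD counter points at forwarding or the FORWARD chain.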
